MADRID, October 25, 2004 - PandaLabs has detected a new worm called Famus.B,
which uses so-called social engineering techniques to spread to users'
computers. Famus.B spreads via email in a message in English and Spanish
referring to the conflict in Iraq. To be more specific, it tries to trick
users into believing that the file contains photographs of these dramatic
events. This message has the following format:

Subject:
Iraq and the crime

Message body:
what is really happening in Iraq?
the pictures of the soldiers and prisoners in Iraq
foward this message.
everybody should know the truth.

If the user runs this file, Famus.B displays a false error message on screen
with the text: File corrupted or bad format. The worm also sends itself out
to all the addresses it finds in the files with a DOC, EML, HTM, and HTT
extension on the affected computer. To do this, it uses an SMTP engine that
it creates on the affected computer in the form of an OCX library file.

Finally, Famus.B creates an entry in the Windows Registry in order to ensure
that it is run whenever the affected computer is started up.

Even though Panda Software's Tech Support services have not received any
reports of incidents involving this worm, as it uses a current issue like
the conflict in Iraq, this worm is likely to start causing incidents soon.
For this reason, Panda Software advises users to take precautions and update
their antivirus software. Panda Software has made the corresponding updates
available to its clients to detect and disinfect this new malicious code.

NOTE: The addresses above may not show up on your screen as single lines.
This would prevent you from using the links to access the web pages. If this
happens, just use the 'cut' and 'paste' options to join the pieces of the
URL.

MADRID, October 29, 2004 - PandaLabs has detected the appearance of the BC
variant of the Bagle worm. This new malicious code has started spreading
rapidly, causing numerous incidents in users' computers around the globe.
For this reason, Panda Software has declared an amber alert. Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against this worm, as they were able to detect and
block this new virus without needing to be able to identify it first (more
information about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent).

Panda Software has made the corresponding updates available to its clients
to detect and disinfect this new malicious code.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the
following characteristics:

What's more, Bagle.BC spoofs the address of the sender of the email message
that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send
itself out to in the files with certain extensions stored on the affected
computer. To do this, and to spread even wider, Bagle.BC copies itself to
all the directories whose name contains the text string 'shar', which are
usually shared folders. By doing this, it can easily spread across networks
and P2P applications. To achieve this aim, it uses a large number of
attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9
full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs,
leaving the computer vulnerable to attack from other malicious code, making
Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate
the TruPrevent Technologies, and therefore, computers with this protection
installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications
port 81, allowing a hacker to carry out remote attacks. It also tries to
download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates
three copies of itself called wingo.exe, wingo.exeopen and
wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it
is run whenever the computer is started up.

According to Luis Corrons, head of PandaLabs, "Bagle.BC is here to pick up
the cyberwar that started a few months ago between several groups of virus
creators. This time, it is a malicious code that uses social engineering and
can spread extremely rapidly. These two characteristics make Bagle.BC a
particularly dangerous worm, as users have a high probability of receiving
an email message carrying this malicious code."

Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing
a preventive layer of protection against this and other new malicious code.
For users with a different antivirus program installed, Panda TruPrevent
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent
Technologies at http://www.pandasoftware.com/truprevent.


MADRID, October 29, 2004 - The Bagle.BC worm is increasing its already high
rate of propagation, causing more and more incidents in users' computers
worldwide. Just a few hours after it appeared, it has made the top half of
the ranking of the viruses most frequently detected by the online antivirus
scanner, Panda ActiveScan. Even so, the number of incidents caused by this
worm is expected to continue increasing and new variants are expected to
emerge over the next few hours.

This has prompted Panda Software to declare a Red Virus Alert as a
preventive measure, so that all users can protect themselves against these
worms and prevent their computers from being infected. Similarly, companies
also risk their communications being slowed down by the large number of
emails that mail servers will have to process.

In addition to this worm, PandaLabs has detected the appearance of the two
new variants, BD and BE, of the same worm. As with Bagle.BC, Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against these worms, as they were able to detect and
block these new variants of the Bagle worm without needing to be able to
identify them first (more information about the new TruPrevent Technologies
at http://www.pandasoftware.com/truprevent).

Panda Software has made the corresponding updates available to its clients
to detect and disinfect these new worms. What's more, it has made its free
PQRemove utility available to all users to effectively detect and eliminate
Bagle.BC from computers affected by this worm. Users can download this
utility from http://www.pandasoftware.com/download/utilities/

With the appearance of these new variants, the objective of the authors of
these worms is obvious: release the maximum amount of malicious code to
increase the huge probability of computers being hit by one of them.
According to Luis Corrons: "this is a technique that is being used more
often. Virus creators know that the reaction time to new threats is
critical, and therefore, the faster they can release various viruses, the
easier it is for users to take too long to update their system. This problem
is resolved with our TruPrevent Technologies, which have blocked these new
worms without users needing to do a thing."

The new variants detected are very similar to Bagle.BC, a worm that spreads
via email, networks and P2P applications like KaZaA. However, they do have
some differences, such as the number of files they generate on the computers
they infect.

The three new Bagle worms share the fact that they have been designed to end
the processes belonging to antivirus and security applications running in
memory. However, none of these worms can affect the functioning of the
TruPrevent Technologies.

To prevent incidents involving the new variants of Bagle, Panda Software
advises users to take precautions and to keep their antivirus software
updated.

Panda Software's clients can already access the updates for installing the
new TruPrevent Technologies along with their antivirus protection, providing
a preventive layer of protection against these and other new malicious code.
For users with a different antivirus program installed, Panda TruPrevent
Personal is the perfect solution, as it is both compatible with and
complements these products, providing a second layer of preventive
protection that acts while the new virus is still being studied and the
corresponding update is incorporated into traditional antivirus programs,
decreasing the risk of infection. More information about TruPrevent
Technologies at http://www.pandasoftware.com/truprevent


Madrid, October 29, 2004 - PandaLabs has detected the appearance of the BC
variant of the Bagle worm. This new malicious code has started spreading
rapidly, causing numerous incidents in users' computers around the globe.
For this reason, Panda Software has declared a red alert. Panda Software
clients that have already installed the new TruPrevent Technologies have
preventive protection against this worm, as they were able to detect and
block this new virus without needing to be able to identify it first (more
information about the new TruPrevent Technologies at
http://www.pandasoftware.com/truprevent). Panda Software has made the
corresponding updates available to its clients to detect and disinfect this
new malicious code.

This has prompted Panda Software to declare a Red Virus Alert as a
preventive measure, so that all users can protect themselves against this
worm and prevent their computers from being infected. Similarly, companies
also risk their communications being slowed down by the large number of
emails that mail servers will have to process.

Bagle.BC spreads rapidly via email. The messages carrying this worm have the
following characteristics:

What's more, Bagle.BC spoofs the address of the sender of the email message
that causes the infection.

If the user runs the attachment, Bagle.BC looks for email addresses to send
itself out to in the files with certain extensions stored on the affected
computer. To do this, and to spread even wider, Bagle.BC copies itself to
all the directories whose name contains the text string 'shar', which are
usually shared folders. By doing this, it can easily spread across networks
and P2P applications. To achieve this aim, it uses a large number of
attractive names to entice users, such as ACDSee 9.exe, Adobe Photoshop 9
full.exe or Ahead Nero 7.exe, and many others.

Bagle.BC also ends the processes of many antivirus and security programs,
leaving the computer vulnerable to attack from other malicious code, making
Bagle.BC an even more dangerous worm. However, Bagle.BC cannot deactivate
the TruPrevent Technologies, and therefore, computers with this protection
installed are perfectly safe from this worm.

Another dangerous effect of Bagle.BC is that it opens the TCP communications
port 81, allowing a hacker to carry out remote attacks. It also tries to
download a file called G.JPG from certain Internet addresses.

In order to ensure that it is always present on computers, Bagle.BC creates
three copies of itself called wingo.exe, wingo.exeopen and
wingo.exeopenopen, and inserts an entry in the Windows Registry to ensure it
is run whenever the computer is started up.

PandaLabs has detected the appearance of the two new variants, BD and BE, of
the same worm. As with Bagle.BC, Panda Software clients that have already
installed the new TruPrevent Technologies have preventive protection against
these worms, as they were able to detect and block these new variants of the
Bagle worm without needing to be able to identify them first.

Panda Software has made the corresponding updates available to its clients
to detect and disinfect these new worms. What's more, it has made its free
PQRemove utility available to all users to effectively detect and eliminate
Bagle.BC from computers affected by this worm. Users can download this
utility from the following address:
http://www.pandasoftware.com/download/utilities/


As of October 29, 2004 9:40 AM (GMT -7:00; Daylight Saving Time), TrendLabs has
declared a Medium Risk Virus Alert to control the spread of WORM_BAGLE.AU.
TrendLabs has received several infection reports indicating that this malware is
spreading in the US, Japan, Sweden, Germany, Mexico, France, Argentina, Chile,
Brazil, and Canada.

Like other BAGLE variants, the success of this worm may be attributed to its
plain and brief email messages that bear the following details:

This worm scans an infected system for files with certain extension names to
acquire its target recipients. It then uses its own SMTP engine and the domain
servers of its harvested email addresses for its mailing routine. Unsuspecting
users may then receive email messages from trusted acquaintances and readily
execute the attachment, thus launching this worm.

When run, it proceeds to drop copies of itself in folders with names containing
the text string shar, or in shared folders. It also uses file names that appear
legitimate and attractive. This enables this worm to propagate through the
network as other users may accidentally download a copy of this worm thinking it
is a normal application or a text file.

This worm also compromises system security by terminating several antivirus and
security-related applications if found active on a system. It also connects to a
list of Web sites where it may download components. It also opens port 81
possibly for its backdoor activities.

Continuing a notable BAGLE routine, it attacks another worm family known as
NETSKY. It deletes several registry entries and file names associated with
NETSKY. It also creates several mutexes that prevent the execution of NETSKY
variants on the infected machine.

----------------------------------------------o0o----
IMPORTANT NOTE!
TrendLabs will also be releasing a 3-digit pattern file that corresponds with
the pattern indicated in this email. This 3-digit pattern is a special release
for users running non-NPF compliant products (i.e., old 3-digit pattern format)
and is designed to provide protection against the most current malware threats.
Users running non-NPF compliant products are still urged to apply the NPF
solution http://www.trendmicro.com/en/support/npf/overview.htm. These users
may also upgrade to the latest product version. Only NPF-compliant products will
be able to update with regular pattern releases.
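
The Bagle.BC indicators named in the advisories above (the three wingo.* copies, executables placed in folders whose name contains 'shar', and a listener on TCP port 81) can be turned into a quick triage check. This is an added example, not code from Panda Software or TrendLabs; the function names, the sample directory layout and the netstat text are constructed for illustration, and the advisories do not say which directory holds the wingo.* copies.

```python
import os
import re
import tempfile

# Indicators quoted in the advisories above.
DROPPED_NAMES = {"wingo.exe", "wingo.exeopen", "wingo.exeopenopen"}
LURE_NAMES = {"acdsee 9.exe", "adobe photoshop 9 full.exe", "ahead nero 7.exe"}
SHARE_MARKER = "shar"
BACKDOOR_PORT = 81

# One listening TCP socket as printed by Windows `netstat -an`.
LISTEN_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\b", re.I)

# Constructed sample data (not captured from a real host).
SAMPLE_FILES = [
    "sysdir/wingo.exe",  # directory name is a placeholder
    "sysdir/wingo.exeopen",
    "p2p/My Shared Folder/Ahead Nero 7.exe",
    "pub/Shared/setup.exe",
    "pub/Shared/notes.txt",
    "apps/editor.exe",
]
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:81             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1042          192.0.2.7:81           ESTABLISHED
"""


def scan_tree(root):
    """Return sorted (reason, relative path) pairs for files matching the indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        in_share = any(SHARE_MARKER in part.lower() for part in rel_dir.split(os.sep))
        for name in files:
            low = name.lower()
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if low in DROPPED_NAMES:
                findings.append(("dropped-copy", rel))
            elif in_share and low in LURE_NAMES:
                findings.append(("lure-in-share", rel))
            elif in_share and low.endswith(".exe"):
                # Weaker signal: legitimate installers also live in shared folders.
                findings.append(("exe-in-share", rel))
    return sorted(findings)


def listening_on_backdoor_port(netstat_text):
    """True if any TCP listener in `netstat -an` output is bound to port 81."""
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(1)) == BACKDOOR_PORT:
            return True
    return False


def build_sample(root):
    """Create SAMPLE_FILES as empty files under root."""
    for rel in SAMPLE_FILES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for reason, path in scan_tree(tmp):
            print(f"{reason:14} {path}")
    print("port 81 listener:", listening_on_backdoor_port(SAMPLE_NETSTAT))
```

A port 81 listener or an executable in a shared folder is only a lead, since legitimate software produces both; the wingo.* names are the stronger match.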

Madrid, October 31, 2004 - This week's report will look at seven worms
-Bagle.BC, Zafi.C, the B and C variants of Famus, Swash.A, Buchon.A and
Buchon.B- and a spyware application known as Spyware/Spydeleter.

Bagle.BC spreads via email in a message with variable characteristics,
through P2P (peer-to-peer) file sharing programs, and across networks. It
opens TCP port 81 and listens in on the communications for a remote
connection. Through this connection, the worm will allow remote access to
the affected computer. This would allow a remote user to carry out actions
that could compromise the confidentiality of user data or impede the tasks
carried out. What's more, Bagle.BC ends the processes belonging to security
tools, such as antivirus applications, leaving the computer vulnerable to
attack from other malware.

Zafi.C spreads through peer-to-peer (P2P) file sharing programs and via
email. To spread via email it uses its own SMTP engine and sends itself to
the addresses whose domain does not contain certain text strings. It obtains
these addresses from the files with a htm, wab, txt, dbx, tbb, asp, php,
sht, adb, mbx, eml or pmr extension it finds on the affected computer.

The language of the message sent by Zafi.C varies depending on the extension
of the domain to which the message is sent. If the domain corresponds to the
following countries: Germany, the Czech Republic, Denmark, Spain, Finland,
France, Holland, Hungary, Italy, Lithuania, Norway, Poland or Sweden, the
text will appear in the corresponding languages, and if not, it will be in
English.

Zafi.C tries to launch Denial of Service (DoS) attacks against three
websites belonging to Google, Microsoft and the Hungarian Prime Minister.
What's more, it ends the processes containing the strings 'firewall' and
'virus', and blocks access to applications that include the text 'reged',
'msconfig2' and 'task2'.

The next worms we will look at are the B and C variants of Famus. Both these
worms spread via email in a file attached to a message written in English
and Spanish, which uses social engineering techniques to spread to as many
computers as possible. The message tries to trick users into opening the
attachment by making them believe it contains interesting images of the
conflict in Iraq. When the file is run, they display a false error message
on screen and send themselves out to the addresses they find in the files
with a doc, eml, htm, or htt extension on the affected computer.

Famus.B and Famus.C also collect data from the infected computer, such as the
mail account, server, user name, version of Windows, etc., and send them to
the author of the code.

Swash.A is a worm that spreads via email in a message with variable
characteristics and through P2P file sharing programs. It ends the processes
belonging to security programs, like antivirus programs and firewalls, and
blocks access to the websites of the main developers of antivirus software.
Due to these actions, Swash.A leaves the infected computer vulnerable to
other malware.

The last worms in today's report are Buchon.A and Buchon.B, which spread via
email. A curious characteristic of these worms is that once they are run,
they wait ten minutes before starting to send out infected messages. The
difference between these two variants is that variant B was compiled seven
hours later and that it checks the system date before waiting ten minutes to
send itself out via email.

We are going to finish today's report with Spyware/Spydeleter, a spyware
application that is automatically downloaded when users visit web pages
containing links to malicious Java scripts, which try to install it. Once it
has been installed on a computer, Spyware/Spydeleter downloads other spyware
applications via FTP. Similarly it creates several processes and leaves them
memory resident so that they are running at all times.

Spyware/Spydeleter creates several entries in the Windows Registry in the
affected computer, whose most significant effect is that they change the
home page of Microsoft Internet Explorer for another page warning the user
that the computer could be infected by spyware. This page contains a link
where the user can supposedly find help to clean the computer. However, if
the user clicks on this link, a page opens from which the application Spy
Deleter is downloaded, which will delete the spyware application for 29
dollars, and which has apparently been programmed by the same person that
created and distributed Spyware/Spydeleter.

Users affected by Spyware/Spydeleter will also find that two links called
'Click to Remove Spyware' and 'Remove Spyware Now' have been created on
their desktop which point to this purchase page.
